A cyberattack waged against Seoul this year has put Web security firms on the trail of a malicious code first spotted in 2007 that
seems to be directed at spying on US forces in South Korea and the South’s forces that officials say have been traced back to Pyongyang

By Yonkyung Lee and Martha Mendoza / AP, SEOUL and SAN JOSE, California

The report does not identify the government networks that were targeted, but does mention that in 2009, the code was used to infect a social media site used by military personnel living in South Korea. McAfee did not name the military social media site, nor release what language it is in, at the request of US authorities, who cited security issues. South Korea has a military force of 639,000 people and the US has 28,500 military personnel based in the country.

McAfee also said it listed only some of the keywords the malware searched for in its report. It said it withheld many other keywords that indicated the targeting of classified material, at the request of US officials, due to the sensitivity of releasing specific names and programs.

Choi has made similar discoveries through IssueMakersLab, a research group he and other “white-hat” hackers created.

Results of a report Choi produced were published in April by Boan News, a Seoul-based Web site focused on South Korean security issues, but they did not get broad attention. That report included many search terms not targeted in the McAfee report, including the English-language equivalents of Korean keywords.

Both McAfee and IssueMakersLab found that any documents, reports and even PowerPoint files with military keywords on infected computers would have been copied and sent back to the attackers.

The attackers are also able to erase hard drives en masse by uploading malware and sending remote-control commands, which is what happened on March 20.

Before that attack, hackers had been sending spy malware on domestic networks for months, giving them the ability to gather information about how their internal servers work, what Web sites the users visit and which computers are responsible for security, the researchers found. This information would have been crucial for planning the coordinated attacks on banks and TV networks.

Anti-virus software and safe practices such as avoiding links and attachments on suspicious e-mails can prevent computers from infection, but the March attack shows how difficult this can be to accomplish on a broad scale. Ironically, some of the malicious codes used were disguised as an anti-virus product from Ahnlab Inc, South Korea’s largest anti-virus maker, McAfee said.

McAfee said it shared its findings with US authorities in Seoul who are in close collaboration with South Korean military authorities.

Tim Junio, who studies cyberattacks at Stanford University’s Center for International Security and Cooperation, said the McAfee report provides “pretty compelling evidence that North Korea is responsible” for the attacks in the South by tying the series of hacks to a single source and by showing that users of a military social media site were targeted.

There are clues in the code as well. For example, a password, used over the years to unlock encrypted files, had the number 38 in it, a politically loaded figure for two countries divided on the 38th parallel, security experts said.